Let developers call JS methods on limited JS objects #580
Comments
Sounds good. In case of lodash probably there are no harmful functions, but in general it would be good to have |
Cool! Any insights on how we can implement this feature? I was looking at the |
I envision

```js
const vmContext = {
  customResources: {
    // module name -> wrapper that exposes only the listed methods
    'lodash': jsModuleInterop('lodash', ['sort', 'unique'])
  },
  // ...
}
```

What |
This way we don't need to add a hack with additional checks for function names in runtime. We use an existing mechanism instead. |
That's cool, however I've got an additional question. What do you mean by resource properties? I mean at the moment one resource could have just a single |
@czerwinskilukasz1 maybe another option would be to add support for something like JS scripting inside AskQL? I mean something like:
when used within the AskScript, a JS interpreter like jerryScript or JS-interpreter is used to execute the scope, isolated from the main Node process. |
Actually, I should have written 'dictionary' rather than 'resource', so that
If we allow running arbitrary JavaScript code, we would need to make sure that it cannot do nasty things on the server, e.g. access files, write/read files, open ports etc., e.g. using the os or net packages, which are available by default. Then, we would need to either whitelist only specific packages or block any |
@pkarw seems like this can be done in user space with a resource factory that accepts an object, for example:

```ts
// `resource`, `any` and `askql` are AskQL exports; the imports were omitted in the snippet
function myResourceFactory(module) {
  const res = {};
  // one AskQL resource per exported key, forwarding the call to the host function
  Object.keys(module).forEach((k) => {
    res[k] = resource({
      type: any,
      async resolver(...args: any) {
        return module[k](...args);
      },
    });
  });
  return res;
}

const result = await askql.runUntyped(
  {
    resources: {
      ...myResourceFactory(lodash),
      ...askql.resources,
    },
  },
  askql.parse("ask { 'hello world!' }")
);
```

The design decision with AskQL was to have a separate computing environment from JavaScript (or any other host programming language) and therefore it would be troublesome to do a direct linking. All callable host methods would need to go through an explicit wrapper which allows for security measures. With the method above it perhaps becomes easier to add multiple resources at the same time. Although, for full support of what you're asking for with namespaces, we would need to solve #579 first. |
Perfect fit @mhagmajer. Thanks! |
Is your feature request related to a problem? If yes, please describe the problem.
It would be great if we could pass over some libraries - take the `lodash` to AskQL and let the developers use all the functions provided, without the need to pack every call with a painstakingly created resource (current case). It could be pretty useful for using the external services APIs like commercetools sdk or ORMs generated from tools like Prisma.
To keep it safe we can allow calling just the top-level functions, or add whitelisting + only on the explicitly passed resources like:
where the `jsModuleInterop` is a wrapper over the JS object accepting the object (in this case the lodash module, plus a whitelist of methods)
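As an added example (not AskQL's own code and not posted in this thread), a `jsModuleInterop`-style factory in plain JavaScript that exposes only an explicit allowlist of a module's own function-valued properties, producing the same `{ name: { resolver } }` shape as the resource factory in the comments; wrapping each entry with AskQL's `resource()` is left to the caller, and `fakeLodash` is a constructed stand-in for a real module.

```javascript
// Added example, not part of AskQL: a jsModuleInterop-style factory that exposes only
// an explicit allowlist of a module's own function-valued properties. It returns the
// { name: { resolver } } shape used by the resource factory in the thread; wrapping each
// entry with AskQL's resource() is left to the caller.

// Constructed stand-in for a host module such as lodash: two harmless helpers and one
// (`template`, which in real lodash compiles code) that must stay unreachable.
const fakeLodash = {
  uniq: (xs) => [...new Set(xs)],
  sortBy: (xs, f) => [...xs].sort((a, b) => f(a) - f(b)),
  template: (src) => src, // stands in for a code-compiling function
  VERSION: '4.x',         // data, not a function
};

function jsModuleInterop(module, allowlist) {
  if (!Array.isArray(allowlist)) throw new TypeError('allowlist must be an explicit array');
  // Null prototype: a script can never reach 'constructor' or '__proto__' through the map.
  const res = Object.create(null);
  for (const name of allowlist) {
    // Own properties only: inherited members (toString, __proto__) are rejected even if listed.
    if (!Object.prototype.hasOwnProperty.call(module, name)) {
      throw new Error(`allowlisted '${name}' is not an own property of the module`);
    }
    const fn = module[name];
    if (typeof fn !== 'function') throw new Error(`allowlisted '${name}' is not a function`);
    res[name] = {
      // `this` is pinned to the module, so the callee cannot be re-bound by script arguments.
      async resolver(...args) { return fn.apply(module, args); },
    };
  }
  return Object.freeze(res); // no further resources can be added after construction
}

// Does the generated resource map expose `name`? (used by the checks below)
function exposes(resources, name) {
  return Object.prototype.hasOwnProperty.call(resources, name);
}

// Usage: only uniq and sortBy become callable; template and VERSION are never exposed.
const safeLodash = jsModuleInterop(fakeLodash, ['uniq', 'sortBy']);
```

Listing an inherited or non-function name fails at construction time rather than silently exposing it, so a misconfigured allowlist is caught before any script runs.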